Windows Analysis Report Quotation for Enq # 90038355.exe

Overview

General Information

Sample Name: Quotation for Enq # 90038355.exe
Analysis ID: 483892
MD5: 344ba2ed272ba7e67556b82f312ea816
SHA1: e1d5527552a9879bfded79c3c76a673913e15ada
SHA256: 9b4cb73e87053b62028a877f31ffba62960560bf707fa0458b3acc0899e942dd
Tags: agentteslaexe
Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.2.Quotation for Enq # 90038355.exe.420acc8.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "share@phoenixfinance.com.bd", "Password": "Pfil*786", "Host": "mail.phoenixfinance.com.bd"}
Multi AV Scanner detection for submitted file
Source: Quotation for Enq # 90038355.exe Virustotal: Detection: 32%
Source: Quotation for Enq # 90038355.exe ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: Quotation for Enq # 90038355.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Quotation for Enq # 90038355.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quotation for Enq # 90038355.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: http://bJvmVK.com
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: MSBuild.exe, 00000002.00000002.935578751.000000000648B000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsenc
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: MSBuild.exe, 00000002.00000002.934081784.0000000003706000.00000004.00000001.sdmp String found in binary or memory: http://mail.phoenixfinance.com.bd
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0v
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: https://YWRIJujMGl.org
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: https://YWRIJujMGl.orgD0=
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.670463877.00000000043B4000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.931030895.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.phoenixfinance.com.bd

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669555775.00000000015AB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Quotation for Enq # 90038355.exe
.NET source code contains very large strings
Source: Quotation for Enq # 90038355.exe, Forms/mainForm.cs Long String: Length: 38272
Source: 0.0.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 0.2.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Uses 32bit PE files
Source: Quotation for Enq # 90038355.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_0159C124 0_2_0159C124
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_0159E570 0_2_0159E570
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_0159E563 0_2_0159E563
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05143275 0_2_05143275
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05142E90 0_2_05142E90
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05143B48 0_2_05143B48
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05146BB8 0_2_05146BB8
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05141478 0_2_05141478
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05141468 0_2_05141468
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_051434A8 0_2_051434A8
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_051437B0 0_2_051437B0
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_051437C0 0_2_051437C0
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05143D41 0_2_05143D41
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05140D78 0_2_05140D78
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05140D67 0_2_05140D67
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05142E80 0_2_05142E80
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05143B39 0_2_05143B39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05E2B6CC 2_2_05E2B6CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05E2D158 2_2_05E2D158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05E21360 2_2_05E21360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05E2D868 2_2_05E2D868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066DD65F 2_2_066DD65F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D9F94 2_2_066D9F94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D5D78 2_2_066D5D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066DDAB8 2_2_066DDAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066DBBC1 2_2_066DBBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D0086 2_2_066D0086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D6E68 2_2_066D6E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D6E5C 2_2_066D6E5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D8D70 2_2_066D8D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_07172C58 2_2_07172C58
Sample file is different than original file name gathered from version info
Source: Quotation for Enq # 90038355.exe Binary or memory string: OriginalFilename vs Quotation for Enq # 90038355.exe
Source: Quotation for Enq # 90038355.exe, 00000000.00000000.661886892.0000000000E62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEVENTFILTERDESCRIPT.exe4 vs Quotation for Enq # 90038355.exe
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamejsUtdMNBeuhbNnokaRBAyEynyJeXUAQH.exe4 vs Quotation for Enq # 90038355.exe
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.670396850.0000000004311000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Quotation for Enq # 90038355.exe
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669555775.00000000015AB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quotation for Enq # 90038355.exe
Source: Quotation for Enq # 90038355.exe Binary or memory string: OriginalFilenameEVENTFILTERDESCRIPT.exe4 vs Quotation for Enq # 90038355.exe
PE file contains strange resources
Source: Quotation for Enq # 90038355.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation for Enq # 90038355.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe 'C:\Users\user\Desktop\Quotation for Enq # 90038355.exe'
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation for Enq # 90038355.exe.log
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Mutant created: \Sessions\1\BaseNamedObjects\NFGbaNkhdbYRiBBEDhHWGl
Source: Quotation for Enq # 90038355.exe, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Quotation for Enq # 90038355.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation for Enq # 90038355.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Quotation for Enq # 90038355.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker
Source: Quotation for Enq # 90038355.exe, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_0159B5D1 pushad ; retf 0_2_0159B5ED
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_0159F933 push esp; iretd 0_2_0159F939
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_0514289F push edx; retf 0_2_051428A0
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Code function: 0_2_05142898 push edx; retf 0_2_05142899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05E20BCE push ss; iretd 2_2_05E20BD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D3C2B push 0000001Ah; iretd 2_2_066D3C2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D3DB5 push es; ret 2_2_066D3E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D9A5F push ss; iretd 2_2_066D9A65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D5BE8 push ss; iretd 2_2_066D5BEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_066D41E1 push es; ret 2_2_066D41F4
Binary contains a suspicious time stamp
Source: Quotation for Enq # 90038355.exe Static PE information: 0xC4BE8666 [Mon Aug 6 22:36:22 2074 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.22138751359

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon2083.png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation for Enq # 90038355.exe PID: 5192, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe TID: 5416 Thread sleep time: -39332s >= -30000s
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe TID: 3112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6092 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688 Thread sleep count: 9535 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688 Thread sleep count: 315 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 9535
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Thread delayed: delay time: 39332
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: MSBuild.exe, 00000002.00000002.935518873.000000000647B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 10F6008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: MSBuild.exe, 00000002.00000002.932796844.0000000001D40000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.932796844.0000000001D40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000002.00000002.932796844.0000000001D40000.00000002.00020000.sdmp Binary or memory string: Progman
Source: MSBuild.exe, 00000002.00000002.932796844.0000000001D40000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Queries volume information: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.Quotation for Enq # 90038355.exe.420acc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation for Enq # 90038355.exe.420acc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.931030895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.670463877.00000000043B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.670112007.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation for Enq # 90038355.exe PID: 5192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1848, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1848, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.Quotation for Enq # 90038355.exe.420acc8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation for Enq # 90038355.exe.420acc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.931030895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.670463877.00000000043B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.670112007.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation for Enq # 90038355.exe PID: 5192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1848, type: MEMORYSTR